What to Expect
63 questions analyzed across 31 AWS services. IAM/access control is the largest slice (24%); network security and data protection follow at 13% each.
Domain Weight Distribution
| Domain | Weight | Focus Areas |
|---|---|---|
| Access Control & Authentication | 24% | IAM policies, SAML, Cognito, Identity Center, ABAC, Permission Boundaries, SCPs |
| Network & Transport Security | 13% | ALB/NLB TLS, VPC endpoints, Network Firewall, Direct Connect, Security Groups |
| Data Protection & Encryption | 13% | KMS, CloudHSM, S3 Object Lock, EFS encryption, SNS data protection |
| Operations & Logging | 10% | CloudWatch, CloudTrail, Session Manager, Lambda logging |
| Compliance & Monitoring | 10% | Config rules, Inspector, Patch Manager, proactive evaluation |
| Threat Detection & Response | 6% | Security Hub, GuardDuty, Detective |
| DDoS & Bot Protection | 5% | WAF, Shield Advanced, Bot Control, CloudFront |
| Governance | 5% | Organizations, SCPs, RCPs, Tag policies |
| Incident Response | 5% | Credential revocation, forensics, FIS testing |
| Other | 9% | AMI sharing, StackSets, Service Catalog, Image Builder |
Trigger Words → Instant Answers
Identity & Access
| When You See... | The Answer Is... |
|---|---|
| "Mobile app" + "social login" + "consumers" | Amazon Cognito (User Pool + Identity Pool) |
| "Employees" + "multiple AWS accounts" + "SSO" | IAM Identity Center |
| "On-premises AD" + "AWS Console" | SAML 2.0 Federation (AD FS) |
| "Custom auth logic" + "mobile app" | Cognito Lambda triggers |
| "Preserve end user identity across services" | Trusted identity propagation |
| "One role" + "multiple services" + "project-scoped" | ABAC (tag-based access) |
| "Delegate IAM admin safely" + "prevent escalation" | Permission Boundaries |
| "100 users, own folder in S3" | Policy variables (${aws:username}) |
| "Third-party cross-account role" + "confused deputy" | sts:ExternalId |
| "EC2/Lambda needs AWS service access" | IAM role (instance profile for EC2, execution role for Lambda); never embed access keys |
| "Associate role with EC2" + unauthorized error | iam:PassRole permission needed |
| "Revoke SAML role active sessions" | AWSRevokeOlderSessions |
| "External workload, no access keys" | IAM Roles Anywhere (X.509 certificates) |
| "Revoke Roles Anywhere access" | Revoke the certificate (CRL) |
Encryption & Data Protection
| When You See... | The Answer Is... |
|---|---|
| "FIPS 140-2 Level 3" + single-tenant HSM you control | CloudHSM |
| "FIPS 140-2 Level 2" | KMS (standard). Exam convention: AWS KMS HSMs have since been validated at FIPS 140-3 Level 3, but CloudHSM is still the answer when the question wants a dedicated, customer-controlled HSM |
| "KMS convenience + HSM security" | Custom key store (KMS + CloudHSM) |
| "Import own keys" (BYOK) | KMS key created with Origin=EXTERNAL; wrap your key material with the KMS-issued public key, then ImportKeyMaterial (optionally with an expiration) |
| "Custom key rotation period (e.g., 90 days)" | Customer managed key (not AWS-managed) |
| "Encrypt existing unencrypted EFS" | New EFS file system (can't add encryption to existing) |
| "Litigation" + "unknown retention duration" | S3 Object Lock Legal Hold |
| "Known retention" + "nobody can modify, not even root" | S3 Object Lock Compliance Mode |
| "End-to-end encryption" + load balancer | NLB TCP listener (TLS passes through unterminated) + certificate installed on the EC2 targets |
| "PII in SNS messages" | SNS message data protection policy |
| "Read encrypted parameter/secret" | Need BOTH read permission + kms:Decrypt |
| "External certs for Network Firewall TLS" | Import to ACM first |
Network & Infrastructure Security
| When You See... | The Answer Is... |
|---|---|
| "ALB" + "enforce TLS version" | Predefined ELBSecurityPolicy |
| "Automatic encryption between EC2s, no overhead" | Nitro v3+ instances |
| "Must not traverse public internet" + S3 | VPC endpoint (Gateway) |
| "Dedicated channel" + "IPsec" + S3 | Direct Connect (public VIF) + Site-to-Site VPN |
| "IPS" + "north-south traffic" + VPC | Network Firewall in dedicated subnets |
| "Real client IP behind ALB" | X-Forwarded-For header |
| "Block bots" + advanced | WAF Bot Control (targeted bots) |
| "Block part of country" (not whole) | CloudFront geo headers + Lambda@Edge |
| "DDoS Layer 3/4" | Shield Standard is always on; ALB + Auto Scaling to absorb, Shield Advanced for DRT support and cost protection |
| "DDoS Layer 7" | CloudFront + WAF |
| "SQLi / XSS protection" | WAF managed rule groups |
| "Brute force login" | WAF rate-based rules |
| "MITM attack prevention" | HTTPS with ACM |
Detection, Logging & Investigation
| When You See... | The Answer Is... |
|---|---|
| "Central view" + "manage findings" + "compliance" | Security Hub |
| "Investigate" + "scope" + "timeline" + "attack path" | Amazon Detective |
| "Detect threats" + "anomalies" automatically | GuardDuty |
| "Automated remediation of findings" | Security Hub custom actions → EventBridge → Lambda |
| "All Regions" + Security Hub | Cross-Region aggregation |
| "Log session commands to S3" | Session Manager preferences (built-in) |
| "EC2 local log files" + "monitor" | CloudWatch agent + metric filters + alarms |
| "Query future CloudTrail logs" + "single query" | CloudTrail Lake |
| "When did resource change?" | Config resource timeline |
| "Who made the API call?" | CloudTrail |
| "What protocols running on instance?" | Inspector (Network Reachability) |
| "Lambda internal processing issue" | DEBUG logging + X-Ray + CloudWatch Insights |
| "VPC Flow Log needs type field" | Create NEW flow log (can't modify existing) |
Governance & Organizations
| When You See... | The Answer Is... |
|---|---|
| "Prevent action" + "admin users can't bypass" | SCP on the specific OU |
| "Non-management account manages org service" | Delegated administrator |
| "Deploy Config rules as a package" | Organization conformance pack |
| "Enforce tag values" | Tag policy (enforce mode) |
| "Force tag to exist" | SCP (deny without tag) |
| "Both tag value AND presence" | Tag policy + SCP together |
| "Cross-account resource sharing" (S3, KMS) | RCP |
| "Eliminate root credentials" + "maintain actions" | Centralized root access management |
| "Share Private CA cross-account" | AWS RAM |
| "Standardized EC2 deployment across accounts" | Image Builder + Service Catalog |
| "Patch compliance" + "report + install" | SSM Patch Manager |
| "Interactive shell, no SSH keys" | Session Manager |
Incident Response
| When You See... | The Answer Is... |
|---|---|
| "Compromised access key" | Deactivate (not delete) + CloudTrail investigation |
| "Stop ALL current sessions" + role | Attach deny-all, revoke active sessions (Deny conditioned on aws:TokenIssueTime), NACL block of the source |
| "Forensic evidence preservation" | EBS snapshots + isolate (not terminate) |
| "Immutable evidence storage" | S3 Object Lock (Compliance mode) |
| "Test incident response plan" | AWS FIS (Fault Injection Service) |
| "Test AZ availability" | FIS AZ power interruption scenario |
| "Attack path analysis" | Amazon Detective |
| "Auto-quarantine across accounts" | Security Hub + SSM Automation runbooks |
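The "Automated remediation of findings" row (Security Hub custom action → EventBridge → Lambda) and the "Auto-quarantine" row above describe the same pattern. Below is an added illustration written for this cheat sheet, not AWS's or the page's code: a Lambda handler that receives the documented "Security Hub Findings - Custom Action" EventBridge event, extracts the EC2 instances from the ASFF findings, and isolates them (never terminates, per Rule 6). `plan_quarantine()` is pure so it runs offline; `execute()` only calls EC2 when `DRY_RUN` is false. `QUARANTINE_ACTION`, `QUARANTINE_SG_ID`, the account/instance IDs and the sample event are assumed or constructed.

```python
"""Security Hub custom action -> EventBridge -> Lambda: quarantine EC2 instances.

Added example for this cheat sheet, not AWS code. plan_quarantine() is pure and
testable offline; execute() performs the EC2 calls only when DRY_RUN=false.
QUARANTINE_ACTION and QUARANTINE_SG_ID are assumed names for a Security Hub
custom action and an empty (no-rule) security group created in advance.
"""
import os

QUARANTINE_ACTION = "Quarantine EC2"                                          # assumed
QUARANTINE_SG_ID = os.environ.get("QUARANTINE_SG_ID", "sg-0123456789abcdef0")  # assumed
DRY_RUN = os.environ.get("DRY_RUN", "true").lower() == "true"


def instance_ids(finding):
    """Yield (region, instance-id) for each EC2 instance resource in an ASFF finding."""
    for res in finding.get("Resources", []):
        if res.get("Type") == "AwsEc2Instance":
            # ASFF Resource.Id for an instance is its ARN: ...:instance/i-xxxxxxxx
            yield res.get("Region"), res["Id"].rsplit("/", 1)[-1]


def plan_quarantine(event):
    """Return [(region, ec2_api_call, params), ...] without touching AWS."""
    if event.get("detail-type") != "Security Hub Findings - Custom Action":
        return []
    detail = event.get("detail", {})
    if detail.get("actionName") != QUARANTINE_ACTION:
        return []
    plan = []
    for finding in detail.get("findings", []):
        if finding.get("RecordState") != "ACTIVE":          # ignore archived findings
            continue
        tags = [{"Key": "SecurityHubFindingId", "Value": finding["Id"]},
                {"Key": "Quarantined", "Value": "true"}]
        for region, iid in instance_ids(finding):
            plan += [
                # 1. Swap the primary ENI's security groups for the empty quarantine SG
                #    (instances with extra ENIs also need modify_network_interface_attribute).
                (region, "modify_instance_attribute",
                 {"InstanceId": iid, "Groups": [QUARANTINE_SG_ID]}),
                # 2. Preserve evidence: block termination instead of terminating.
                (region, "modify_instance_attribute",
                 {"InstanceId": iid, "DisableApiTermination": {"Value": True}}),
                # 3. Tag for the responder; EBS snapshots are the next runbook step.
                (region, "create_tags", {"Resources": [iid], "Tags": tags}),
            ]
    return plan


def execute(plan):
    """Apply the plan with boto3 unless DRY_RUN; returns one status line per call."""
    if DRY_RUN:
        return [f"[dry-run] {call} {params}" for _, call, params in plan]
    import boto3                                   # only needed for a real run
    results = []
    for region, call, params in plan:
        getattr(boto3.client("ec2", region_name=region), call)(**params)
        results.append(f"applied {call} in {region}")
    return results


def lambda_handler(event, context):
    return {"actions": execute(plan_quarantine(event))}


# Constructed sample event: one ACTIVE finding on an instance and one ARCHIVED one.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Custom Action",
    "source": "aws.securityhub",
    "detail": {
        "actionName": QUARANTINE_ACTION,
        "actionDescription": "Isolate the instance for forensics",
        "findings": [
            {"Id": "arn:aws:guardduty:us-east-1:111122223333:detector/d1/finding/f1",
             "RecordState": "ACTIVE",
             "Resources": [{"Type": "AwsEc2Instance", "Region": "us-east-1",
                            "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123def456789a"}]},
            {"Id": "arn:aws:guardduty:us-east-1:111122223333:detector/d1/finding/f2",
             "RecordState": "ARCHIVED",
             "Resources": [{"Type": "AwsEc2Instance", "Region": "us-east-1",
                            "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-0ffffffffffffffff"}]},
        ],
    },
}

if __name__ == "__main__":
    for line in lambda_handler(SAMPLE_EVENT, None)["actions"]:
        print(line)
```

For the multi-account case in the "Auto-quarantine across accounts" row, the same plan is what an SSM Automation runbook would carry out, with Security Hub's cross-account findings supplying the region and instance ID and the runbook assuming a role in the member account.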
Golden Rules to Memorize
Rule 1: The Caller Is Evaluated — Permissions are checked against the principal making the call, not the service in the middle. An EC2 instance role reading a SecureString parameter needs kms:Decrypt itself; the SSM service does not supply it.
Rule 2: Two-Key Access — Encrypted data always needs TWO permissions: read the resource + decrypt the key. If either is missing = Access Denied.
Rule 3: Effective Permissions = Identity Policy ∩ Permissions Boundary ∩ SCP — All three must allow the action; any layer that does not allow it = implicit deny. Session policies narrow further, cross-account access also needs the resource-based policy to allow, and SCPs never apply to the management account.
Rule 4: Explicit Deny ALWAYS Wins — No number of Allow statements overrides a single matching Deny. Order: explicit Deny > Allow > implicit (default) deny.
Rule 5: Use the Native Feature — "Least overhead" = fewest services. Don't build pipelines when a checkbox exists. Config → Security Hub is automatic.
Rule 6: Deactivate, Don't Delete — Compromised access keys: deactivate first (reversible), test, then delete. Instances: isolate, don't terminate (preserve evidence).
Rule 7: SCP > IAM — Users with admin access can remove IAM policies attached to their own principal. They CANNOT remove an SCP, which is managed from the organization's management account. For unbypassable guardrails, use SCPs (they do not apply to the management account itself or to service-linked roles).
Rule 8: Proactive > Reactive — "Prevent creation" = SCP, Config proactive eval, Service Catalog. "Detect after creation" = Config detective, EventBridge + Lambda.
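Rules 3 and 4 in runnable form, together with two rows from the tables above: the `${aws:username}` per-user S3 folder policy and the revoke-active-sessions deny (what the console attaches as AWSRevokeOlderSessions, a Deny conditioned on `aws:TokenIssueTime`). This is an added toy evaluator written for this cheat sheet, not AWS's evaluation engine; the policies, usernames, bucket, trail ARN and the 2024-06-01 revocation cutoff are constructed sample data, and resource-based policies, session policies and NotAction/NotResource are deliberately not modeled.

```python
"""Toy IAM evaluator for Rules 3 and 4 (added example, not AWS code).

An explicit Deny in any applicable policy wins; otherwise the action must be
allowed by the identity policy AND the permissions boundary (if attached) AND
every SCP layer. Models "*" wildcards, the ${aws:username} policy variable and
the DateLessThan/aws:TokenIssueTime condition used to revoke older sessions.
"""
import fnmatch
from datetime import datetime, timezone


def _matches(pattern, value, fold_case):
    """Action names match case-insensitively; resource ARNs match as written."""
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _listify(x):
    return x if isinstance(x, list) else [x]


def _condition_ok(condition, ctx):
    for op, pairs in condition.items():
        if op != "DateLessThan":
            raise ValueError(f"operator {op} not modeled")
        for key, value in pairs.items():
            cutoff = datetime.fromisoformat(value.replace("Z", "+00:00"))
            # A missing context key makes a plain (non-IfExists) condition false.
            if key not in ctx or not ctx[key] < cutoff:
                return False
    return True


def decide(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    outcome = None
    for st in _listify(policy["Statement"]):
        actions = _listify(st.get("Action", []))
        resources = [r.replace("${aws:username}", ctx.get("aws:username", ""))
                     for r in _listify(st.get("Resource", "*"))]
        if not any(_matches(a, action, True) for a in actions):
            continue
        if not any(_matches(r, resource, False) for r in resources):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"                  # Rule 4: a matching Deny ends evaluation
        outcome = "Allow"
    return outcome


def evaluate(action, resource, ctx, identity, boundary=None, scps=()):
    """Rule 3: identity ∩ boundary ∩ every SCP layer (root -> OU -> account)."""
    layers = [identity] + ([boundary] if boundary else []) + list(scps)
    decisions = [decide(p, action, resource, ctx) for p in layers]
    if "Deny" in decisions:
        return "Deny (explicit)"
    if all(d == "Allow" for d in decisions):
        return "Allow"
    return "Deny (implicit)"               # some layer never allowed it


# Constructed sample policies.
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::corp-data/home/${aws:username}/*"},     # per-user folder
    {"Effect": "Allow", "Action": ["ec2:*", "cloudtrail:*"], "Resource": "*"},
]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "cloudtrail:*"], "Resource": "*"},
]}
SCP_ROOT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_OU = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"},
]}
# Shape of the console's revoke-active-sessions deny; the cutoff is constructed.
REVOKE = {"Effect": "Deny", "Action": "*", "Resource": "*",
          "Condition": {"DateLessThan": {"aws:TokenIssueTime": "2024-06-01T12:00:00Z"}}}
REVOKED_IDENTITY = {"Version": "2012-10-17", "Statement": IDENTITY["Statement"] + [REVOKE]}


def demo():
    scps = [SCP_ROOT, SCP_OU]
    alice = {"aws:username": "alice"}
    own = "arn:aws:s3:::corp-data/home/alice/report.csv"
    other = "arn:aws:s3:::corp-data/home/bob/report.csv"
    trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
    before = {**alice, "aws:TokenIssueTime": datetime(2024, 6, 1, 9, tzinfo=timezone.utc)}
    after = {**alice, "aws:TokenIssueTime": datetime(2024, 6, 1, 15, tzinfo=timezone.utc)}
    return {
        "own folder":    evaluate("s3:GetObject", own, alice, IDENTITY, BOUNDARY, scps),
        "other folder":  evaluate("s3:GetObject", other, alice, IDENTITY, BOUNDARY, scps),
        "delete trail":  evaluate("cloudtrail:DeleteTrail", trail, alice, IDENTITY, BOUNDARY, scps),
        "run instances": evaluate("ec2:RunInstances", "*", alice, IDENTITY, BOUNDARY, scps),
        "old session":   evaluate("s3:GetObject", own, before, REVOKED_IDENTITY, BOUNDARY, scps),
        "fresh session": evaluate("s3:GetObject", own, after, REVOKED_IDENTITY, BOUNDARY, scps),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} -> {result}")
```

The four outcomes worth noticing: the SCP deny on `cloudtrail:DeleteTrail` beats an identity policy that allows `cloudtrail:*` (Rule 7), `ec2:RunInstances` fails with an implicit deny because the boundary only allows `ec2:Describe*` (Rule 3), and the same identity policy allows or denies `s3:GetObject` depending only on whether the session was issued before the revocation cutoff.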
The Security Trifecta
Detection → Aggregation → Investigation
| Stage | Service | In one line | How it works |
|---|---|---|---|
| DETECT | GuardDuty | "Something suspicious" | ML-based, automatic; emits findings |
| AGGREGATE | Security Hub | "Here's everything" | Central dashboard; compliance standards |
| INVESTIGATE | Detective | "Trace what happened" | Behavior graphs; attack path analysis |
Common Exam Traps
Things That DON'T Work
| Trap | Reality |
|---|---|
| Share AMIs via RAM | AMIs use launch permissions, not RAM |
| Modify existing flow log format | Must create a new flow log |
| Add encryption to existing EFS | Must create a new encrypted EFS |
| Enable Object Lock on existing bucket | Must enable at bucket creation time |
| Export ACM-generated certificate private key | Public certificates issued by ACM cannot be exported; use a third-party cert (or an ACM Private CA certificate, which can be exported) wherever the key must live outside ACM-integrated services |
| GuardDuty blocks traffic | GuardDuty only detects, doesn't prevent |
| WAF inspects TLS version | TLS handshake happens before WAF sees request |
| Inspector examines live traffic | Inspector scans for vulnerabilities, not traffic |
| Config tracks user actions | Config tracks resource state; CloudTrail tracks actions |
| CloudTrail logs session commands | CloudTrail logs API calls; Session Manager logs commands |
| Trusted Advisor generates compliance reports | Trusted Advisor gives best practice recommendations |
| SNS access policy filters message content | Access policies control WHO; data protection policies control WHAT |
| AWS-managed key custom rotation | AWS-managed keys rotate at 365 days fixed; use customer managed for custom |
| S3 Batch Operations across multiple buckets | Manifest requires all objects in same bucket |
| Legal hold on S3 bucket | Legal holds are per-object, not per-bucket |
Organization Policy Quick Reference
Five Policy Types
| Policy | Controls | Example |
|---|---|---|
| SCP | What principals can DO | Deny DeleteTrail, restrict instance types |
| RCP | How resources are SHARED | Share KMS keys, S3 cross-account access |
| Tag policy | How resources are TAGGED | Enforce billing code values |
| Backup policy | How resources are BACKED UP | Enforce backup schedules |
| AI opt-out | AI service DATA USAGE | Opt out of AI training |
Error Message Decoder
Match the Error to the Cause
| Error | Category | Check |
|---|---|---|
| "Access Denied" | Permissions | IAM role, SCP, permissions boundary, KMS key policy |
| "Explicit Deny" | A matching Deny statement | Newer messages name the source ("with an explicit deny in a service control policy" / "...in an identity-based policy"); check SCPs, permissions boundary, identity and resource policies |
| "Already Exists" | Naming conflict | Duplicate resource name |
| "UnauthorizedOperation" | Missing IAM permission (EC2's form of AccessDenied) | Check the caller's policies; if the message is encoded, run `aws sts decode-authorization-message` |
| "KMS key is disabled" | Key state | Enable the KMS key |
| "Missing kms:ListAliases" | Permissions boundary | Check boundary allows KMS actions |
The #1 Exam Strategy
Read the Question for These Clues
- "Least operational overhead" = fewest services, native/built-in features
- "Most secure" = technical controls (policies), not procedural (SOPs)
- "Prevent" = proactive controls (SCP, Config proactive, Service Catalog)
- "Detect" = reactive controls (Config detective, GuardDuty, EventBridge + Lambda)
- "Before provisioning" = Config proactive evaluation or SCP
- "After provisioning" = Config detective evaluation or remediation
- "Regardless of provisioning method" = SCP or tag policy (not CloudFormation hooks)
- "Fewest configuration steps" = check for automatic integrations (Config → Security Hub)
- "Immediately" = revoke sessions, deny-all policy, NACL block
- "Eliminate credentials" = must NOT EXIST (rotation ≠ elimination)